Satisability Modulo Structures as Constraint Satisfaction: An Introduction

Transcription

1 janvier 2007 Journées Francophones des Langages Applicatifs JFLA07 Satisability Modulo Structures as Constraint Satisfaction: An Introduction Hassan Aït-Kaci 1 & Bruno Berstel 2 & Ulrich Junker 2 & Michel Leconte 2 & Andreas Podelski 3 1: ILOG, Inc. hak@ilog.com 2: ILOG S.A. {bberstel,ujunker,mleconte}@ilog.fr 3: University of Freiburg podelski@informatik.uni-freiburg.de Abstract Constraint Programming (CP) and Satisability Modulo Theories (SMT) both generalize SAT w.r.t. expressiveness and propagation power. CP uses domain propagators based on mathematical structures, whereas SMT uses constraint propagators based on logical theories. In this paper, we incorporate SMT reasoning into CP and illustrate the benets of the resulting system for the problem of rule verication. 1. Introduction SAT methods have intensively been applied to hardware verication and are gaining in importance for software verication. As programs involve operations on dierent data types such as integers, oatingpoints, booleans, strings, arrays, lists, and objects, satisability problems in software verication need to take the mathematical properties of those data types into account. This can be achieved by dedicated decision procedures, which check the satisability of a formula w.r.t. dierent mathematical theories (e.g., linear arithmetics, symbolic functions, array theory etc). An important topic is then to nd correct and complete combinations of those decision procedures. Nelson and Oppen [6] showed that equality propagation between decision procedures achieves completeness if equality is the only operation that is shared by two theories. This pioneering work is fundamental for software verication and has inuenced many program veriers as explained in [5]. Whereas the Nelson-Oppen method is able to prove the unsatisability of formulas such as x = y f(x) = f(y) + 1, it does not detect the unsatisability of the formula x.startswith(y) x.length + 1 = y.length, which combines string operations with integer arithmetics. Only recent research by Tinelli and Ringeissen [11, 10] has shown how to combine decision procedures for theories that share more than equality into a semi-decision procedure for unsatisability. Craig interpolation based on conjunctions of clauses over the shared variables is one way to achieve this combination [10]. Craig interpolation is also used in the DPLL(T)-method [9], which combines propositional logic with a decision procedure for constraints that are attached to propositional variables. From the stand-point of Constraint Programming (CP), DPLL(T) as in [9] attaches a Boolean variable to each literal and maintains a global consistency among those Boolean variables w.r.t. a given theory. As maintaining global consistency is expensive, it may be more ecient to use incomplete forms of propagation [2]. 1

2 Aït-Kaci et.al. Satisability modulo theories (SMT) addresses problems with innite domains (as for integer arithmetics) or unknown domains (as for uninterpreted functions). Whereas SMT provides a semidecision procedure for unsatisability [11, 5] and requires that mathematical structures have decision procedures or rst-order axiomatizations, the interest of CP is to provide semi-decision procedures for satisability, while requiring only decision procedures for each function and each predicate in the mathematical structure. Informally, we can say that SMT is able to enumerate proofs, while CP is able to enumerate solutions. SMT achieve this by propagating literals (i.e., constraints) among decision procedures, whereas CP propagates reduced variable domains among constraints. As the CP framework is quite general, it is possible to incorporate SMT-based reasoning by creating all relevant constraints subject to SMT-propagation in advance and by posting a global constraint on them that encapsulates a decision procedure. However, this approach does not work for uninterpreted functions and other purely symbolic theories, which do not have a xed semantical counterpart. In this paper, we address this issue of combining symbolic and semantic reasoning within CP, which is motivated by a verication problem, namely that of the consistency and coherence of production rules. The major obstacle is that uninterpreted and interpreted functions work on dierent universes such as Herbrand terms and integer domains and that the same expression may be interpreted dierently by dierent decision procedures. In order to obtain an eective propagation, we need to combine propagations on various domains, such as equality propagation over Herbrand terms or interval propagation over numerical constraints. A recent paper of Baader and Ghilardi [1] uses an explicit homomorphism to connect dierent copies of the constraints, which can be interpreted dierently. We introduce copies of the interpreted functions. We interpret the original symbols such as+ syntactically (on Herbrand terms) and the copy + i semantically by the integer sum. We connect both via a function h, which is a homomorphism since we add the constraint h(t 1 + t 2 ) = i h(t 1 ) + i h(t 2 ) for each subterm t 1 + t 2 of the given formula. Unlike [1], we are not connecting theories, but mathematical structures and we do not need to split the initial formula into separate subformulas. Structure connection turns out to be very naturally compared to theory connection as it just attaches meaning to syntactic terms via the well-known concept of a homomorphism between structures. We show that this is sucient to test the satisability of a quantier-free formula within a CP approach. 2. Verication and Constraint Programming In this section, we show that even very simple verication problems can prot from dierent types of propagation including Boolean propagation, equality propagation, and the propagation of numeric intervals. We explain why Constraint Programming can be benecial for verication and why it needs to be extended by other propagation methods for this purpose. We consider a simple problem occurring in rule verication. Business rule management systems are becoming a popular way to manage business policies in business applications such as pricing, claim processing, loan accrediting, and others. As business rules can be entered by dierent experts, verication and validation methods are needed to consolidate the given rule set. Suppose that an expert dealing with a customer delity program has entered a pricing rule that adds a discount of 20% to customer orders of at least Euros. Formally, the rule is expressed as a production rule consisting of a condition, which is applied to given objects, and an action, which modies those objects. Our rule is applicable if there is an object o which is an instance of type Order and which has a value greater than or equal to If the rule is applied then the discount of the object is increased by 20: r1: if o: Order(value >= 10000) then o.discount += 20; The manager of the rule base now imposes that discounts must always be within the range 0 to 30%. She asks whether there is any rule that can move a discount out of this domain. We thus obtain a 2

3 Satisability Modulo Structures verication problem, which consists in checking whether a safety property can be violated. A typical approach to solve this problem is to see whether there is a scenario in which the rule is applied and the property is violated. For this purpose, we need to model the rule execution, which represents a transition of a state s 1 to a state s 2. We model this transition between unknown states by a quantierfree rst-order formula. We use a constant symbol o for the matched object and unary terms indexed by the state for the value and discount attributes. value s1 (o) discount s2 (o) = discount s1 (o) + 20 (1) We also state that the initial discount of the order is within [0, 30]: discount s1 (o) 0 discount s1 (o) 30 (2) We also state that the discount does not change for any other object that is dierent to o. In the simple example, we consider one unknown object in addition to o and use the variable x to denote it: (x = o) discount s2 (x) = discount s1 (x) (3) Furthermore, we suppose that the transition moves the discount of the object x out of the range [0, 30]: discount s1 (x) 0 discount s1 (x) 30 discount s2 (x) < 0 discount s2 (x) > 30 (4) We then combine (1), (2),(4), and (3) into a conjunction φ and ask whether φ it is satisable. In rst-order logic, this requires to nd a model of φ. A model consists of a domain and of functions and relations over this domain that interpret the given symbols such that the formula evaluates to true. It is important to note that the symbols for equality, sum, and order have a xed interpretation. We now discuss informally how the problem can be solved by dierent forms of propagation. We associate an (innite) interval domain to every numerical expression such as discount s2 (x). Furthermore, we associate a Boolean domain {T, F} to each atomic formula such as x = o and discount s2 (x) < 0. Initially, interval propagation reduces the interval domain of value s1 (o) to [10000, ) and the interval domains of discount s1 (x) and of discount s1 (o) to [0, 30]. Moreover, the sum constraint in (1) reduces the domain of discount s2 (o) to [20, 50]. This means that any model of φ will evaluate those expressions to values within the reduced domains. We now ask whether a model of φ may evaluate x = o to false. We therefore set the Boolean domain of x = o to {F}. Boolean propagation of (3) will then set the Boolean domain of discount s2 (x) = discount s1 (x) (5) to {T}. As this constraint is true now, it will propagate the interval [0, 30] from discount s1 (x) to discount s2 (x). Hence, neither the constraint discount s2 (x) < 0, nor discount s2 (x) > 30 can be satised, meaning that their Boolean domains are reduced to {F}. The disjunction in (4) is thus violated and there is no model of φ that evaluates x = o to false. Therefore, the constraint x = o must be true and we set its domain to {T}. Neither Boolean propagation, nor interval propagation can now proceed with problem solving. However, equality propagation can do so as we can deduce that discount s2 (x) must be equal to discount s2 (o) since x is equal to o. Hence, equality propagation posts a new constraint: discount s2 (x) = discount s2 (o) (6) Interval propagation via this constraint sets the domain of discount s2 (x) to [20, 50]. As a consequence, the constraint discount s2 (x) < 0 is violated and its Boolean domain is set to {F}. Boolean 3

4 Aït-Kaci et.al. propagation via (4) then sets the domain of discount s2 (x) > 30 to {T}. Interval propagation then reduces the domain of discount s2 (x) to [31, 50]. This interval is propagated via (6) to discount s2 (o) and the sum constraint in (1) reduces the domain of discount s1 (o) to [11, 30]. In this particular example, we can nd a model of φ for any value in this domain. Hence, a safety violation can occur if x is equal to o and the initial discount of o is within [11, 30]. The rule verication system therefore alerts the manager: When applying rule r1 to an order o with discount strictly greater than 10 the discount of o will be outside the domain of [0, 30]. As a consequence, the manager of the rule base modies the rule as follows: r1': if o: Order(value >= 10000; discount <= 10) then o.discount += 20; The safety violation check for this new rule adds the constraint discount s1 (o) 10 to the conjunction φ. This new conjunction is unsatisable as we already deduced that discount s1 (o) must be strictly greater than 10 when φ is given. This example shows that dierent kinds of propagations are useful for nding models of a quantierfree formula. In the example, we used interval propagation, Boolean propagations, and equality propagations. Other forms of propagations based on modular arithmetics for integers [4], regular expressions for strings, and others are also useful. It is important that these propagations are used altogether and operate on a single problem space. As the propagations reduce domains that are linked together, they can interact very tightly. We have seen that a Boolean propagation can trigger an equality propagation which triggers an interval propagations. The interval propagation may trigger Boolean propagations and so on. It is thus important to combine the dierent propagations within a single solver which maintains a single problem space in form of domains. This guarantees a good synergy among the propagations. If multiple solvers with multiple problem spaces were used, then signicant eort for coordinating these spaces would be needed. Constraint Programming (CP) provides a well-elaborated framework in which dierent forms of propagation can interact quickly. We will see that we gain a semi-decision procedure for satisability of quantier-free formulas (modulo given mathematical structures) within CP (supposed that domains are enumerable and constraints are decidable), which is very well-suited for verication problems such as safety checks. 3. Satisability Modulo Structures In the last section, we gave an example of a rule verication problem and showed how it can be expressed as the satisability problem of a quantier-free rst-order formula. Many other problems in Computer Science, Operations Research, and Articial Intelligence can be formulated as satisability problems in a logical language. It is often the case that this language mixes symbols that can freely be interpreted with symbols that have a xed interpretation for the given problem. In the last section, we used constant symbols such as o and function symbols such as discount s1 to express statements about objects. The interpretation of these symbols can freely be chosen. Furthermore, we used the binary function symbol + to express a sum of integers and the binary predicate symbol for the greater-than-or-equal-to relation among integers. These symbols have a xed mathematical meaning for the problem of consideration. In other terms, we use a xed mathematical structure such as integer arithmetics to interpret this second class of symbols. There are two approaches to solve satisability problems where some symbols are interpreted within a given mathematical structure. The rst approach, called satisability modulo theories (SMT), requires an axiomatization of the mathematical structure in form of a rst-order theory. The problem 4

5 Satisability Modulo Structures then consists in nding a model of this rst-order theory that also satises the original constraints. The second approach, which we call satisability modulo structures (SMS), tries to extend the given mathematical structure by an interpretation of the yet uninterpreted symbols. Hence, the problem consists in nding a model of the original constraints that extends the given mathematical structure. SMT requires an axiomatization of the mathematical structure and thus can address only limited forms of integer arithmetics, such as Presburger arithmetics, for which axiomatizations exist. As SMT adds universally quantied formulas (the axioms) to the given constraints, it leads to a semi-decision procedure for unsatisability. This means that an SMT procedure can prove the inconsistency of an unsatisable problem within a nite number of steps, but may run forever if the problem is satisable. The SMS approach can address arbitrary mathematical structures that have enumerable universes and decidable predicates and functions. It provides a semi-decision procedure for satisability as it only needs to choose values for the subterms of the quantier-free formula. Furthermore, it can prot from specic solving procedures that are available for the mathematical structure. An example are the interval propagation methods explained in the last section. Satisability procedures as used in Mathematical Programming and Constraint Programming follow an SMS approach, but require that all symbols are interpreted by a mathematical structure. In this case, the satisability procedure just needs to determine values of the variables. In the general SMS setting, the satisability procedure also needs to choose the interpretation of terms involving uninterpreted functions. A convenient way is to use a Herbrand structure and to interpret those terms by themselves. However, we encounter two technical diculties. Firstly, our constraints make statements about the equality and disequality of objects. We may write formulas such as a = b (discount(a) = discount(b)). This formula is unsatisable if we interpret the syntactic equality by the identity relation. In this case, we interpret a and b by the same value. As a consequence, the ground terms discount(a) and discount(b) are interpreted by the same values as well and the formula is unsatisable. Structures which interpret the syntactic equality by the identity relation are called equality structures (cf. [8], section 3.1). Now consider the formula (a = b) discount(a) = discount(b). Although a and b represent dierent objects, their discounts may be equal and the formula should be satisable. However, a Herbrand structure is not a suitable equality structure for our purpose. It is based on a free algebra (cf. e.g., [8], section 3.1), which means that the equality of two terms f(t 1 ) = f(t 2 ) implies the equality of their arguments t 1 = t 2. As a consequence, the second formula is unsatisable in a Herbrand structure which interprets the syntactic equality by the identity relation. Our problem consists in nding a model of a rst-order formula that interprets the syntactic equality by an identity relation. However, we can transform this satisability problem into a dierent satisability problem which uses a Herbrand structure. Herbrand structures have the advantage that less values need to be chosen by the satisability procedure. If only uninterpreted function and predicate symbols are given, the satisability procedure just needs to determine the interpretation of the predicate symbols, including the syntactic equality. We limit the interpretation of the syntactic equality to a congruence relation, i.e. an equivalence relation that has the following two properties: t 1 t 1,..., t k t k imply f(t 1,..., t k ) f(t 1,..., t k ) for all functions f t 1 t 1,..., t k t k imply p(t 1,..., t k ) = p(t 1,..., t k ) for all predicates p (7) If a Herbrand structure interprets the syntactic equality by a congruence relation, then we call it a Herbrand congruence structure. If the given quantier-free formula only contains uninterpreted function and predicate symbols in addition to the syntactic equality, then it is satisable in an equality structure if and only if it is satisable in a Herbrand congruence structure. This correspondence follows from well-known results about equality structures and congruence relations (cf. e.g., [8], section 3.1). We are thus able to use Herbrand structures for equality constraints over uninterpreted functions. A second diculty stems from the fact that the quantier-free formula may contain interpreted as well as uninterpreted function and predicate symbols. An example is a = b 10 discount(a) 5

6 Aït-Kaci et.al. discount(b) 20. Whereas the predicate symbol represents the greater-than-or-equal-to relation over integers, the function symbol discount can be interpreted freely. Following the discussion above, we will interpret the ground terms discount(a) and discount(b) by themselves. However, these terms occur as arguments of the greater-than-or-equal-to relation that expects integer arguments. This means that we need two interpretations of the terms discount(a) and discount(b), namely in form of Herbrand terms and in form of integers. If we chose only the integer interpretation, then we would have diculties to interpret terms such as isgood(discount(b)) which apply other uninterpreted functions to an integer-valued term. Recent work of Baader and Ghilardi [1] on theory combination allows the coexistence of multiple interpretations of the same symbols within a mathematical structure. Baader and Ghilardi use a many-sorted rst-order logic. They introduce copies f of certain function symbols f and they ensure that f and f range over dierent sorts S, S. These sorts can be interpreted by dierent universes U, U. Thanks to this, the copy f can be interpreted dierently than the origin f. Furthermore, Baader and Ghilardi introduce an explicit connection function from the sort S to the sort S. This function connects a term f(t) to its copy f (t ) and represents a homomorphism between the two interpretations since it has to satisfy the formula h(f(t)) = f (h(t)). We apply this approach in the following way. We consider a many-sorted signature Ω, which consists of a set of sorts, a set of constant symbols, a set of function symbols, and a set of predicate symbols. Furthermore, we consider a quantier-free formula φ formulated with the symbols in Ω. We distinguish a sub-signature Ω 1, which contains those sorts and symbols from Ω which have a xed meaning for our problem. We consider a mathematical structure A 1 that interprets the symbols in Ω 1. In order to permit unlimited equality reasoning over Herbrand terms, we will interpret all the symbols in Ω by a Herbrand congruence structure as explained above. This Herbrand structure will interpret the symbols in Ω 1 in a dierent way as specied by A 1. We therefore introduce a copy Ω 2 of the signature Ω 1. We interpret the copies in the same way as the original sorts and symbols. Let A 2 be the corresponding mathematical structure. We can safely combine a Herbrand congruence structure that interprets Ω with the structure A 2 that interprets Ω 2 as the two signatures Ω and Ω 2 do not share any sort and symbol. Furthermore, we introduce connection functions h from the sorts of Ω 1 to the sorts of Ω 2. As a result, we obtain a combined signature Ω which consists of the original signature Ω, the copy Ω 2, and the connection functions h. We consider mathematical structures for Ω that interpret Ω by a Herbrand congruence structure, Ω 2 by A 2, and the connection functions h by homomorphisms that ensure that the following properties are satised: h(f(t 1,..., t k )) = f (h(t 1 ),..., h(t k )) for all function symbols f and their copies f.p(t 1,..., t k ) p (h(t 1 ),..., h(t k )) for all predicate symbols p and their copies p (8) We call the resulting structure an Ω-Herbrand expansion of A 1 over (Ω 1, Ω 2 ). This notion provides our second transformation result: A quantier-free formula over Ω is satisable in an equality structure that coincides with A 1 on the symbols in Ω 1 if and only if there is an Ω-Herbrand expansion of A 1 over (Ω 1, Ω 2 ). Whereas the original satisability problem consists in nding an equality structure that extends A 1, we can now solve our problem by seeking a Herbrand structure which is linked to A 1 via a homomorphism. In the next section, we describe how this problem can be solved by Constraint Programming. 4. Constraint Networks for Satisability Modulo Structures Given a quantier-free formula φ, we build a constraint network to determine a model for the formula if it is satisable. A constraint network consists of a set of variables and a set of constraints. Each variable x has a domain D(x). Each constraint consists of a tuple (x 1,..., x k ) of variables and a k-ary relation R which is a subset of D(x 1 )... D(x k ). A constraint network represents a constraint 6

7 Satisability Modulo Structures satisfaction problem. This problem consists in nding an assignment of values to the variables such that the value of each variable belongs to its domain and all the constraints are satised. An assignment satises a constraint with variables (x 1,..., x k ) and relation R if the vector of values of those variables is an element of R. We introduce variables for the unknown parts of the Ω-Herbrand expansion of A 1. As the subterms t of φ are interpreted by themselves, we do not introduce variables for the subterms themselves. If f is an interpreted function symbol from A 1, then we introduce the variables χ h(f(t1,...,t k )), χ h(t1),..., χ h(tk ) for the unknown interpretation of the terms h(f(t 1,..., t k )), h(t 1 ),..., h(t k ). Furthermore, we introduce a variable χ ψ with Boolean domain for each subformula ψ of φ. For equality propagation, we furthermore need a variable χ t1=t 2 with Boolean domain for two arbitrary subterms 1 t 1 and t 2 of φ. We then express the following constraints: 1. Logical constraints: If φ contains a subformula of the form ψ, then we introduce a binary constraint with variables χ ψ, χ ψ and the relation R := {(F, T), (T, F)}. If φ contains a subformula of the form ψ 1 ψ 2 then we introduce a ternary constraint with variables χ ψ1, χ ψ2, χ ψ1 ψ 2 and the relation R := {(F, F, F), (F, T, F), (T, F, F), (T, T, T)}. If φ contains a subformula of the form ψ 1 ψ 2 then we introduce a ternary constraint with variables χ ψ1, χ ψ2, χ ψ1 ψ 2 and the relation R := {(F, F, F), (F, T, T), (T, F, T), (T, T, T)}. 2. Congruence constraints: If φ contains two subterms f(t 1,..., t k ) and f(t 1,..., t k ), then we introduce a constraint with variables χ t1=t,..., χ 1 t k =t, χ f(t k 1,...,t k )=f(t 1,...,t k ) and a relation that ensures that χ f(t1,...,t k )=f(t 1,...,t k ) is true i all the χ t1=t,..., χ 1 t k =t are true. We introduce k similar congruence constraints for subformulas p(t 1,..., t k ) and p(t 1,..., t k ) of φ. Furthermore, we have to ensure that the syntactic equality is interpreted by an equivalence relation. We ensure reexivity by setting χ t1=t 2 to T whenever t 1 and t 2 are the same terms. The symmetry and transitivity can be guaranteed by a congruence constraint for the equality predicate for all subterms t 1, t 2, t 1, t 2 of φ. This means we introduce a ternary implication constraint with variables χ t1=t,χ 1 t 2=t,χ 2 (t 1=t 1 )=(t2=t 2 ). The congruence constraints can be encoded eciently in form of a global constraint that encapsulates the congruence closure algorithm of Nelson and Oppen [7]. 3. Homomorphism constraints: If φ contains a subterm of the form f(t 1,..., t k ) and f is a function symbol in Ω 1 then we introduce a constraint on variables χ h(t1),..., χ h(tk ), χ h(f(t1,...,t k )) that has the relation R(f) := {(v 1,..., v k, v) v = f A1 (v 1,..., v k )} where f A1 is the interpretation of f in the structure A 1. If φ contains a subformula of the form p(t 1,..., t k ) and p is a predicate symbol in Ω 1 then we introduce a constraint on variables χ h(t1),..., χ h(tk ), χ p(t1,...,t k ) that has the relation R(p) := {(v 1,..., v k, v) v = p A1 (v 1,..., v k )} where p A1 is the interpretation of p in the structure A 1. For any two subterms t 1, t 2 of φ that both have a sort S from Ω 1, we introduce a constraint on the variables χ h(t1), χ h(t2), χ t1=t 2 that ensures that χ t1=t 2 is true whenever χ h(t1) and χ h(t2) are equal. 4. Satisfaction constraint: nally we introduce a constraint on χ φ with relation {T} stating that φ must be true, The resulting CSP has a solution if and only if there is a Ω-Herbrand expansion of A 1 over (Ω 1, Ω 2 ). The CSP can be solved by dierent methods such as systematic search, interval propagation, propagation of modular arithmetics [4], and other methods dedicated to the mathematical structure under consideration. 1 For the sake of brevity, we do not discuss the possible optimizations of this constraint network. 7

8 Aït-Kaci et.al. 5. Conclusion We explained the principles of how to integrate SMT reasoning capabilities into CP, which enables CP methods to test the satisability of quantier-free formulas modulo given mathematical theories, as it is required by software verication. A major diculty is the incorporation of equality reasoning over uninterpreted functions. We achieve this by a double representation in the sense of [1]. Equality propagation is done over Herbrand terms and domain propagation is done by constraints. We showed how to construct a hybrid constraint network coupling those propagations and illustrated the possible synergy obtained by this connection. A topic of future work is the incorporation of advanced forms of conict learning. CP allows more compact forms of conicts and thus promises faster interpolation methods [3]. Bibliography [1] Franz Baader and Silvio Ghilardi. Connecting many-sorted theories. In CADE, pages , [2] Harald Ganzinger, George Hagen, Robert Nieuwenhuis, Albert Oliveras, and Cesare Tinelli. DPLL(T): Fast decision procedures. In CAV, pages , [3] Ulrich Junker and Olivier Lhomme. Return of the JTMS: Preferences orchestrate conict learning and solution synthesis. In ECAI, pages , [4] Michel Leconte and Bruno Berstel. Extending a CP solver with congruences as domains for program verication. In Proceedings of the 1st workshop on Constraints in Software Testing, Verication and Analysis, pages 2233, [5] Zohar Manna and Calogero G. Zarba. Combining decision procedures. In Formal Methods at the Crossroads. From Panacea to Foundational Support, volume 2757 of Lecture Notes in Computer Science, pages Springer, [6] Greg Nelson and Derek C. Oppen. Simplication by cooperating decision procedures. ACM Trans. Program. Lang. Syst., 1(2):245257, [7] Greg Nelson and Derek C. Oppen. Fast decision procedures based on congruence closure. J. ACM, 27(2):356364, [8] Michael M. Richter. Logikkalküle. Teubner, [9] Cesare Tinelli. A DPLL-based calculus for ground satisability modulo theories. In JELIA, volume 2424 of Lecture Notes in Computer Science, pages , [10] Cesare Tinelli. Cooperation of background reasoners in theory reasoning by residue sharing. Journal of Automated Reasoning, 30:131, [11] Cesare Tinelli and Christophe Ringeissen. Unions of non-disjoint theories and combinations of satisability procedures. Theoretical Computer Science, 290:291353,